Interview with NetApp's Storage Security Expert



This is a summary of an interview between SafeNet and NetApp’s Mike Wong, a technical marketing engineer and acting product manager responsible for NetApp storage security solutions.  The impetus for this interview was SafeNet’s recent announcement of StorageSecure in partnership with NetApp.


Q: How did NetApp get into the encryption game?

A: NetApp customers store their most valuable data on our equipment and we’ve always believed in providing the strongest security technologies available. In 2005, NetApp acquired Decru, whose flagship products were storage encryption solutions, and I actually came on board in that acquisition. As part of NetApp, we’ve developed innovative ways to protect data at rest, and we’ve also looked to foster partnerships with industry leaders who complement our solution delivery. One of these partners is SafeNet. SafeNet has demonstrated leadership in the encryption and key management space, and has been able to help take our encryption product line to the next level.


Q: So what solutions are available today from SafeNet and NetApp?

A: We currently have KeySecure and StorageSecure. KeySecure is a key manager, and the successor to the NetApp LKM appliance. StorageSecure is an Ethernet-based encryption solution that is the successor to DataFort. The SafeNet StorageSecure appliance brings a number of improvements to the original platform. For example, where DataFort was available only in 1 GbE, StorageSecure has both a 1 GbE and a 10 GbE model to handle the increasing data storage needs of our customers today. KeySecure is able to store and manage keys for not just StorageSecure, but a plethora of other encryption products which support the Key Management Interoperability Protocol (KMIP).

The way I like to explain the product interaction between SafeNet and NetApp is that NetApp is the storage at the end of the data path, the customer is the host, and StorageSecure sits in between to encrypt information at the storage level, and then decrypt data at the host level. NetApp is the storage vendor and SafeNet offers products to help our customers protect that storage.


Q: What are some of the common use cases where organizations would need encrypted storage?

A: One of the biggest use cases for encrypted storage is virtualization, which is an area of expertise for NetApp. Many service providers want the ability to compartmentalize their storage systems to offer multi-tenancy. In the old paradigm, if a storage provider had customers A, B and C – who may all be competitors – they would need three separate systems to ensure separation of data. Now, providers are able to combine systems and compartmentalize with virtual storage running a single system. From the customer’s point of view, it looks like they have a separate, dedicated storage system, but really it’s just a virtual environment running on one central machine.

The financial sector has always been keen on encryption. Banks, for example, have been interested for a long time and are using encrypted storage. There’s also been a resurgence in the healthcare industry. This past year, numerous healthcare organizations have been asking for encrypted storage for HIPAA and HITECH compliance.

Many service providers tell me that their customers in other industries are coming to them and asking for encryption options, primarily for regulatory compliance such as PCI and California SB 1386.


Q: What’s unique about StorageSecure and how does that help NetApp customers?

A: The unique thing about StorageSecure is that its encryption is so granular. Storage admins are able to enforce policies, compartmentalize, and separate data in ways that no one else is able to today. StorageSecure provides granular encryption for data at rest, encrypting at the CIFS and NFS level. Storage providers have the choice to be able to encrypt at the vFiler level so the entire volume is encrypted, or simply shares within the virtual construct. NetApp customers such as ISPs are now able to offer their clients different tiers of storage, depending on whether they want just compartmentalized storage, or compartmentalized and encrypted storage.


Q: Where can people go to find out more about StorageSecure and NetApp storage solutions?

A: Both NetApp and SafeNet will be at VMworld next week, so attendees can stop by either of our booths for information. NetApp is at booth 1402 and SafeNet is at booth 1901. I’ll actually be presenting in the SafeNet booth at 3pm on Monday and Wednesday about securing storage in virtual environments. We also have several digital resources available on the web. My sessions will be posted to NetAppTV and is always a fantastic resource. For information on StorageSecure, visit, and for information on KeySecure visit


Mike McNamara


What is the option for encrypting data that has been deduplicated and needs to be encrypted? I was in front of another vendor that does not dedupe (go guess) and they said that if you had to encrypt your data, all the dedupe data would no longer be present.


disks capable of encryption - dedupe would happen before laying down of data to the disks, which encrypt what is handed to them

NetApp has 3 approaches to encryption of data at rest.

  1. NetApp Storage Encryption
    • Disk level encryption that offers compatibility with dedupe and compression as well as the majority of Data ONTAP features: SnapDrive, SnapMirror, SnapVault, SnapManager, etc.
    • Encryption is done at the entire system level
    • The key is that encryption is done at the drive level at the last step. All other features happen at WAFL layer above the drive
  2. Brocade Encryption Switch
    • LUN level encryption of disk
    • Can be specific only to LUNs that have sensitive data
    • Lose storage efficiency on just the encrypted data while rest of LUNs remain cleartext and can participate in storage efficiency
  3. SafeNet StorageSecure
    • Encryption at the CIFS share or NFS export level
    • Encrypt just what you need encrypted at the file and folder level
    • Sacrifice storage efficiency on the encrypted part, but rest of data can participate in storage efficiency

With #1  above, we can work with storage efficiency.  With the other 2 solutions, you can localize the amount of data which will be encrypted and reduce loss of storage efficiency on just the data that needs to be encrypted.

Hope this helps.
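Added example, not part of the original comments and not NetApp or SafeNet code: a small model of why the order of deduplication and encryption decides whether storage efficiency survives. The block size, the file names, and the toy cipher with a per-file or per-sector tweak are assumptions made for this sketch; real products use AES-based modes.

```python
import hashlib
import hmac

BLOCK = 4096  # dedupe granularity in bytes (assumed for this sketch)

def split(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def dedupe(blocks):
    """Keep one copy per SHA-256 fingerprint, as a block dedupe engine would."""
    return list({hashlib.sha256(b).digest(): b for b in blocks}.values())

def toy_encrypt(key, tweak, block):
    """Stand-in cipher, not for real use: XOR with an HMAC-SHA256 keystream.
    The tweak models the per-file or per-sector IV (an assumption here)."""
    stream = b""
    counter = 0
    while len(stream) < len(block):
        stream += hmac.new(key, tweak + counter.to_bytes(4, "big"),
                           hashlib.sha256).digest()
        counter += 1
    return bytes(p ^ s for p, s in zip(block, stream))

def encrypt_then_dedupe(key, files):
    """Encryption in the data path, above the array: dedupe sees ciphertext."""
    ciphertext = [toy_encrypt(key, f"{name}:{i}".encode(), blk)
                  for name, data in files.items()
                  for i, blk in enumerate(split(data))]
    return len(ciphertext), len(dedupe(ciphertext))

def dedupe_then_encrypt(key, files):
    """Drive-level encryption: dedupe sees plaintext, drive encrypts last."""
    plaintext = [blk for data in files.values() for blk in split(data)]
    unique = dedupe(plaintext)
    on_disk = [toy_encrypt(key, str(lba).encode(), blk)
               for lba, blk in enumerate(unique)]
    return len(plaintext), len(on_disk)

def sample_files():
    """Constructed input: three images sharing eight blocks, one with an extra."""
    base = b"".join(hashlib.sha256(bytes([i])).digest() * 128 for i in range(8))
    extra = hashlib.sha256(b"extra").digest() * 128
    return {"vm-a.img": base, "vm-b.img": base, "vm-c.img": base + extra}

if __name__ == "__main__":
    key = b"constructed-demo-key"
    print("encrypt then dedupe (written, stored):", encrypt_then_dedupe(key, sample_files()))
    print("dedupe then encrypt (written, stored):", dedupe_then_encrypt(key, sample_files()))
```

Each function returns the number of blocks written and the number actually stored, so the two orderings can be compared on the same input.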

Will smb3 give us encryption on the wire at last?

SMB 3.0 in Windows 8 and Server 2012 has the ability to encrypt the SMB data while it’s in transit, at a much lower cost than deploying other in-transit encryption solutions such as IPsec. Encryption in transit protects the communications from eavesdropping if intercepted as it passes through the network.